Saturday, October 01, 2016

A Yahoo insider believes the hackers could really have stolen
over 1 billion accounts

…To be sure,
Yahoo has said that the breach affected at least 500 million users. But the former Yahoo exec estimated the number
of accounts that could have potentially been stolen could be anywhere
between 1 billion and 3 billion.

I’m not sure Fortune got this right! Perhaps I will have my Governance students
research it and write a more accurate article.

…Just recently, a
new scam has started involving fake tax bills tied to the Affordable Care Act. In one sure sign the notices are fake, many
are arriving by email—and the IRS doesn’t initiate taxpayer contact by email.

Even so, some of the
fakes are paper notices sent by regular mail and taxpayers should
watch out.

The European Union has
published its proposal (PDF) for a revised Regulation on the export of dual
use goods. The primary purpose is to
overhaul and simplify the existing controls that were designed to limit the
proliferation of weapons of mass destruction (WMDs); but it also introduces new
controls over the export of cyber surveillance and computer intrusion tools.

More explicitly, it aims at preventing "the misuse of
digital surveillance and intrusion systems that results in human rights
violations" in line with the 2015 Human Rights Action Plan and the EU
Guidelines for Freedom of Expression. New
laws are necessary because existing legislation does not provide sufficient
control over cyber-surveillance technologies.

FedEx, UPS Gear Up for Holiday Season With More Sorting Hubs,
Technology

Holiday hiring is expected to be flat at package-delivery
giants FedEx Corp. and United
Parcel Service Inc., but that masks efforts behind the scenes
to prepare for the coming wave of e-commerce orders.

FedEx is opening four new hubs and “dozens” of small,
satellite facilities to receive, sort and ship an expected surge in packages
between Thanksgiving and Christmas, executives said this week. UPS is expanding a network of temporary
sorting hubs and is increasing its use of software to help sort packages
faster, a spokeswoman said.

Earlier this week Google introduced a new feature to Google Slides, Docs, and
Sheets that they are calling "Explore." The Explore function in Google Slides can help
you find a better layout for each slide in your presentation, help you find
previous work that you've done about the topic of your presentation, and help
you find information from the web about your topic. In the video embedded below I provide a short
overview of the new Explore function in Google Slides.

…Amazon
announced the Alexa Prize, a university competition dedicated to accelerating
the field of conversational AI. From
the press release: “The goal of the inaugural competition is to build a
‘socialbot’ on Alexa that will converse with people about popular topics and
news events. The team with the
highest-performing socialbot will win a $500,000 prize. Additionally, a prize of $1 million will be
awarded to the winning team’s university if their socialbot achieves the grand
challenge of conversing coherently and engagingly with humans for 20 minutes.” [Attention
Architecture students! Bob]

Attackers used an army of hijacked security cameras and
video recorders to launch several massive internet attacks last week, prompting
fresh concern about the vulnerability of millions of “smart” devices in homes
and businesses connected to the internet.

The assaults raised eyebrows among security experts both
for their size and for the machines that made them happen. The attackers used as many as one million Chinese-made security cameras, digital
video recorders and other infected devices to generate webpage requests and
data that knocked their targets offline, security experts said.

…“We’re thinking
this is the tip of the iceberg,”
said Dale Drew, head of security at Level
3 Communications Inc., which runs one of the world’s largest
internet backbones, giving it a window into many of the attacks that cross the
net.

The proliferation of internet-connected devices from
televisions to thermostats provides attackers a bigger arsenal of weapons to
infiltrate. Many are intended to be plugged in and forgotten. These devices are “designed to be remote controlled over the internet,” said
Andy Ellis, security chief at network operator Akamai Technologies Inc., some
of whose clients were affected. “They’re also never going to be updated.”

Oof. This notification from the New Jersey
Spine Center, sent to patients on September 22, describes a
real disaster where not only essential patient files and credit card
information were locked up, but their most
recent backup was too. No
wonder they paid the ransom.

On July 27, 2016, our computer
systems were attacked by a malware ransom virus called “CryptoWall.” The malware
was detected by our virus protection software but unfortunately not until after
our electronic patient records were encrypted. The virus encrypted, thereby rendering
unusable, all of our electronic medical record files that contained all of the
clinical information on our patients such as procedures, office notes, reports,
etc.

…The virus likely utilized a list of stolen
passwords and ran an automated program that attempted access until a correct
match was found.

Read the full letter here.
Their press
release, posted to their site, provides a lot less detail and doesn’t
mention paying ransom, but it does add one detail: they regained access to
their files on August 1. They do not
mention how much the ransom was.
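The letter’s explanation (a list of stolen passwords fed to an automated program that tried them until one worked) is exactly the pattern a log monitor can catch before the encryption starts: a burst of failed logons from one source, followed by a success from that same source. The following is an added example for this page, not code from the New Jersey Spine Center or any vendor named here. The event IDs are the real Windows Security codes (4625 failed logon, 4624 successful logon), but the log lines, account names and addresses are constructed, and the failure threshold and time window are assumptions you would tune to your own environment.

```python
"""Detect password guessing against a remote-access service from logon events.

Added example for this page; not code from the New Jersey Spine Center or any
vendor. The log lines are constructed to resemble Windows Security events
(4625 = failed logon, 4624 = successful logon); hosts, users and addresses
are made up (addresses come from the RFC 5737 documentation ranges).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample: one source (203.0.113.7) hammers an account until it
# succeeds; one legitimate user (198.51.100.20) mistypes a password twice.
SAMPLE_LOG = """\
2016-07-27T02:14:01 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=10
2016-07-27T02:14:02 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=10
2016-07-27T02:14:03 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=10
2016-07-27T02:14:04 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=10
2016-07-27T02:14:05 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=10
2016-07-27T02:14:06 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=10
2016-07-27T02:14:08 EventID=4624 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=10
2016-07-27T09:01:10 EventID=4625 TargetUser=mlee SourceIP=198.51.100.20 LogonType=10
2016-07-27T09:01:25 EventID=4625 TargetUser=mlee SourceIP=198.51.100.20 LogonType=10
2016-07-27T09:01:40 EventID=4624 TargetUser=mlee SourceIP=198.51.100.20 LogonType=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) TargetUser=(?P<user>\S+) "
    r"SourceIP=(?P<ip>\S+) LogonType=(?P<ltype>\d+)$"
)


def parse(log_text):
    """Yield (timestamp, event_id, user, source_ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unexpected lines rather than crash on them
        yield (datetime.fromisoformat(m["ts"]), int(m["event"]), m["user"], m["ip"])


def detect_guessing(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Return alerts for sources with more than `max_failures` failed logons
    inside `window`, and for any later success from a flagged source
    (the letter's 'correct match was found' case)."""
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, event, user, ip in parse(log_text):
        if event == 4625:
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) > max_failures and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, user, len(q)))
        elif event == 4624 and ip in flagged:
            alerts.append(("success_after_burst", ip, user, len(failures[ip])))
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the detector raises two alerts for 203.0.113.7 (the burst, then the success that followed it) and none for the legitimate user. The second alert is the one that matters operationally: a success after a burst means the guess landed, and the account should be locked and the session killed before anything gets encrypted.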

Sometimes all you need to detect hackers or malware is an
indication that something is “different.”

Hard on the heels of the discovery of the largest
known data breach in history, Cloudera and Intel on Wednesday announced
that they've donated a new open source project to the Apache Software
Foundation with a focus on using big data analytics and machine learning for
cybersecurity.

…Based on
Cloudera's big data platform, Spot taps Apache
Hadoop for infinite log management
and data storage scale along with Apache
Spark for machine learning and near real-time anomaly detection. The software can analyze billions of events in
order to detect unknown and insider threats and provide new network visibility.

Essentially, it uses machine
learning as a filter to separate bad traffic from benign and to
characterize network traffic behavior. It also uses a process including context
enrichment, noise filtering, whitelisting and heuristics to produce a shortlist
of most likely security threats.
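Stripped of the Hadoop and Spark machinery, the pipeline described above is a scoring loop: enrich each record with context, drop the noise, drop what is whitelisted, score what remains for rarity plus a few heuristics, and keep the top of the list. The following is an added example for this page and is not Apache Spot’s code. The flow records, the internal address range and the whitelist are constructed assumptions; the scoring weights are illustrative.

```python
"""Shortlist 'different' network flows: rarity scoring with context enrichment,
noise filtering, whitelisting and heuristics.

Added example for this page; not Apache Spot code and no Hadoop or Spark.
The flow records are constructed (RFC 1918 internal and RFC 5737 external
addresses); the internal range and whitelist are assumptions.
"""
import ipaddress
import math
from collections import Counter

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.0.1.10", "10.0.0.5", 443, 2_000), ("10.0.1.11", "10.0.0.5", 443, 1_500),
    ("10.0.1.12", "10.0.0.5", 443, 3_000), ("10.0.1.13", "10.0.0.5", 443, 900),
    ("10.0.1.10", "10.0.0.6", 53, 120),    ("10.0.1.11", "10.0.0.6", 53, 130),
    ("10.0.1.12", "10.0.0.6", 53, 110),    ("10.0.1.13", "10.0.0.6", 53, 125),
    ("10.0.1.10", "10.0.0.9", 22, 8_000),              # admin to the jump host
    ("10.0.1.44", "203.0.113.9", 4444, 5_000_000),     # one-off external, large upload
    ("10.0.1.12", "198.51.100.30", 443, 4_000),        # one-off external HTTPS, small
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
WHITELIST = {("10.0.0.9", 22)}                   # assumed known-good service


def enrich(flow):
    """Context enrichment: tag whether the destination is outside the network."""
    src, dst, port, nbytes = flow
    return {"src": src, "dst": dst, "port": port, "bytes": nbytes,
            "external": ipaddress.ip_address(dst) not in INTERNAL}


def shortlist(flows, noise_share=0.2, top_n=3):
    """Return the top_n most anomalous flows after noise and whitelist filtering."""
    total = len(flows)
    service_counts = Counter((f[1], f[2]) for f in flows)   # baseline per (dst, port)
    scored = []
    for flow in flows:
        rec = enrich(flow)
        key = (rec["dst"], rec["port"])
        share = service_counts[key] / total
        if share >= noise_share:    # noise filter: a service most hosts use is not 'different'
            continue
        if key in WHITELIST:        # whitelisting: known-good, however rare
            continue
        score = -math.log(share)    # rarity: rarer destination/port scores higher
        if rec["external"]:         # heuristic: leaving the network
            score += 2.0
        if rec["bytes"] >= 1_000_000:   # heuristic: large outbound volume
            score += 1.0
        rec["score"] = round(score, 3)
        scored.append(rec)
    scored.sort(key=lambda r: r["score"], reverse=True)
    return scored[:top_n]


if __name__ == "__main__":
    for rec in shortlist(FLOWS):
        print(rec)
```

On the constructed data the four-host HTTPS and DNS traffic is filtered as noise, the admin’s SSH to the jump host is whitelisted, and the shortlist has two entries, with the large upload to 203.0.113.9:4444 on top. That is the whole idea in Bob’s one-liner: you do not need to know what the bad traffic is, only that it is unlike everything else and not on the list of things you already trust.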

The insurance industry apparently likes those little “driving
habit” recorders they hope you will install in your car, but this goes much
farther.

Speed cameras are banned in
Virginia, but that did not stop the insurance industry from deploying them on
state highways. As part of an effort to
promote the issuance of speeding tickets, the Insurance Institute for
Highway Safety (IIHS) and the for-profit contractor Brekford set up ten radar
units that they used to photograph the faces of motorists and identify them
through Department of Motor Vehicles (DMV) records. The group used the data collected to call for
lowering of speed limits.

The National Motorists
Association (NMA) noticed one flaw with the IIHS plan — IIHS never asked for
permission to set up the cameras. On
Wednesday the group filed a complaint with the Commonwealth Transportation
Board, which has jurisdiction over Virginia highways.

Can police prevent hate crimes by
monitoring racist banter on social media?

Researchers will be testing this
concept over the next three years in Los Angeles, marking a new frontier in
efforts by law enforcement to predict and prevent crimes.

During a three-year experiment,
British researchers working with the Santa Monica-based Rand Corp. will be
monitoring millions of tweets related to the L.A. area in an effort to identify
patterns and markers that prejudice-motivated violence is about to occur in
real time.

The researchers then will compare
the data against records of reported violent acts.

In a ruling issued late last
week, U.S. District Court Judge Lucy Koh in the Northern District of California
ruled that people who are suing Google can proceed
even without proof of financial injury.

[…]

The ruling stems from a
lawsuit filed
last year by San Francisco resident Daniel Matera, who said he doesn’t have a Gmail account, but is forced to
communicate with Gmail users due to the “ubiquity of Gmail.”

In what is likely to infuriate those who believe that
the Federal Trade Commission has already abused its authority in its
relentless enforcement action against a small cancer-detecting laboratory,
the FTC has denied
LabMD’s application for a stay of their final
order while LabMD appeals to a federal court.

In explaining its denial, the Commission said it
looked at four factors:

(1) “the likelihood of the
applicant’s success on appeal”; (2) “whether the applicant will suffer
irreparable harm if a stay is not granted”; (3) “the degree of injury to other
parties if a stay is granted”; and (4) the public interest. It is the
applicant’s burden to establish that a stay is warranted. Toys “R” Us, Inc.,
126 F.T.C. 695, 698 (1998).

Because the Commission believes it is right, it
fails to see LabMD’s chances of success on appeal. If they didn’t believe they were right, they
never would have issued their final decision and order, right? So the first factor is somewhat ridiculous and
boils down to, “We thought we were right, we think we are right, and therefore,
LabMD has no real chance of winning an appeal against us.”

On the second factor, that the Commission failed to
see “irreparable harm” given the cost of notifications and implementing the
comprehensive data security plan is…. shocking.

As to the degree of injury to other parties if the stay is
granted, given that the FTC never bothered
to contact even a single patient to inquire whether there had been any harm, the
following borders on the obscene:

Because LabMD never notified any
affected consumers of the breach, we do not know how many consumers may have
suffered harm due, for example, to identity or medical identity theft.

But they could have known – and chose not to find
out.

Keep in mind that as HHS spokesperson Rachel Seeger wrote
to this blogger, HHS not only declined to join FTC in any action against LabMD,
but this wasn’t even a reportable breach under HIPAA in 2008. There was no requirement for LabMD to notify
anyone. So they didn’t and the FTC never
did, and now the FTC would require LabMD to notify eight years
later but it can’t wait for an appeal to a court?

Without notification, affected
consumers and their insurance companies can do little to reduce the risk of
harm from identity and medical identity theft or to address harms that may
already have occurred.

They are, of course, referring to the “risk of harm” that
they decided was substantial, even though there was no evidence of any harm to
any person. Nor did they provide
controlled and replicated research demonstrating that simply having data
exposed causes substantial injury to consumers. If we ask people, “How do you feel that your
lab test results were exposed and others could have downloaded them?” I
hypothesize that many people would say they would be unhappy about that. But if we ask them, “Do you feel you have been
harmed by that exposure?” I suspect that the vast majority would say
that they had not been harmed at all, much less substantially harmed. Would even a few people claim significant
harm? It’s an empirical question, and
FTC provided no evidence on that point.

As for the fourth, and “public interest” factor, I think
the public’s interest is in getting the FTC’s authority and the notice issues
clarified by the courts, and the denial of the stay is just another poor
decision in a long chain of poor decisions in this case.

Federal regulators on Thursday overhauled the system that
pushes alerts to smartphones and other mobile devices in an emergency.

Alerts that were once restricted to 90 characters will now
be as long as 360 for some types of networks following the Federal
Communications Commission’s vote on the new rules.

And officials responding to emergencies will now be able to include links and
phone numbers in all types of alerts. That
could allow law enforcement authorities to link to maps, for example, or other
photos.

…The commission
also told wireless providers to support alerts that were sent in Spanish. They will also now formally consider whether
to require support for other languages as well.

…The item gained
a higher profile after authorities in New York City used the alerts system to
send a message to smartphones informing the public that it was searching for
Ahmad Khan Rahami, a suspect in a bombing in Manhattan and New Jersey earlier
this month.

…We’ve recently
joined the ranks of Google’s billion-user products. Google Cloud Platform now
serves over one billion end-users through its customers’ products and services.

To meet this growing demand, we’ve reached an exciting
turning point in our geographic expansion efforts. Today, we announced the locations of eight new
Google Cloud
Regions — Mumbai, Singapore, Sydney, Northern Virginia, São Paulo,
London, Finland and Frankfurt — and there are more regions to be announced next
year.

Companies are spending
millions on bug bounty programs whose goal is to identify vulnerabilities, but
it might be more efficient to take a proactive approach and focus on
identifying flaws in the development phase.

A survey
commissioned by application security company Veracode shows that of 500 U.S.
decision makers working in cybersecurity, 83 percent
have admitted releasing code before testing it for security holes and bugs. In contrast, a vast majority of them are
confident that their software is secure.

Ford Motor Co. thinks new mobility services could yield
profit margins more than double what it makes selling cars and trucks, and
Executive Chairman Bill Ford on Thursday said that’s because the automaker is
becoming more nimble and forward-thinking.

“In time, if we do this right, we will become less
capital-intensive,” he said at the World Mobility Leadership Forum, a two-day
conference in Romulus focused on the changing role of transportation. “We’ll have more revenue streams that aren’t
dependent upon heavily fixed-costs investment.”

QuickKey is a popular iOS and Android app that can help you
save a ton of time when grading multiple choice or true/false quizzes. I first learned about it a few years ago when
a colleague of mine was raving about it on Facebook.

Here are the basics of how it works; create your quiz on the
Quick Key
website then print and distribute a bubble sheet. After your students have completed the bubble
sheet you simply scan the sheets with
your phone and the grading is done for you. As you can learn in the video embedded below,
QuickKey will work on the cheapest of Android phones as well as on more
expensive Android phones and on iPhones.

Thursday, September 29, 2016

Well, Chris Vickery and I tried to warn everyone about
making these lists public and not securing them better. Now we see this, by Nicole Rojas:

During a House Judiciary
Committee hearing on Wednesday (28 September), FBI Director James Comey
revealed hackers have attempted to hack into voter registration sites in more
than a dozen states and on several occasions. Investigators believe Russia is behind the
attempted hacks, officials said.

“There have been a variety of
scanning activities which is a preamble for potential intrusion activities as
well as some attempted intrusions at voter database registrations beyond those
we knew about in July and August,” Comey said.

Fear of hackers reading private
e-mails in cloud-based systems like Microsoft Outlook, Gmail, or Yahoo has
recently sent regular people and public officials scrambling to delete entire
accounts full of messages dating back years. What we don’t expect is our own government to
hack our e-mail — but it’s happening. Federal court cases going on right now are
revealing that federal officials can read all your e-mail without your
knowledge. For example, in the case of U.S. v. Ravelo, pending in Newark, New
Jersey, the government used a search
warrant to download the entire contents of a lawyer’s personal cellphone
– more than 90,000 items including text messages, e-mails, contact lists, and
photos. When the phone’s owner
complained to a judge, the government argued it could look at everything (except for privileged lawyer-client communications)
before the court even issued a ruling. The
judge in Ravelo is expected to issue a preliminary ruling on the feds’
arguments sometime in October. All
Americans should be watching carefully to what happens next in these cases –
the government may be already watching you without your knowledge.

The theme of the course was to take a number of security
events that illustrated various attacks I'd covered in the ethical hacking
series and talk through some of the mechanics. Deconstruct them, if you like. These are real world security events so this
is far from hypothetical, it's things that have actually happened. Here's what we cover:

Australian Attorney-General
George Brandis has said the government will introduce legislation to amend
the Privacy Act for the purposes of protecting anonymised
datasets that are collected and published by the Commonwealth.

Claiming that the “privacy of
citizens is of paramount importance” to the government, Brandis said the
amendment, which will be introduced in the coming months during the spring
sittings of Parliament, will criminalise the re-identification of de-identified
data.

HackerOne helps you find vulnerabilities in your
internet-facing systems. We do it
through a unique model where we have a community of researchers and hackers
around the world who will hack you on
your request and they will send you a report outlining what they
found. You send them money as a thank you if the report was useful. [Or, we
could help ourselves…Bob] If it wasn’t, you pay nothing.

My Software Architecture students will be looking for Research
Projects. I thought I’d list a few
potential areas here.

American Airlines Group Inc., nearly three years after
merging with US Airways, faces a major information-technology challenge this
weekend (Sept. 30-Oct.1), when it transitions all pilots and planes to one
“flight operating system.”

Every day, humans type out more than 200 billion emails,
hundreds of millions of tweets, and innumerable texts, chats, and private
messages. No one person could pick
through even a tiny sliver of this information and stitch together themes and
trends—but computers are starting to be able to. For more than a decade, researchers have been
developing computer programs that can ingest enormous amounts of writing to try
and understand the emotions stirred up by an idea or a product.

…The group's goal
is to create the first industry-led consortium that would also include academic
and nonprofit researchers, leading the effort to essentially ensure AI's
trustworthiness: driving research toward technologies that are ethical, secure
and reliable — that help rather than hurt — while also helping to diffuse fears
and misperceptions about it.

"We plan to discuss, we plan to publish, we plan to
also potentially sponsor some research projects that dive into specific
issues," Banavar says, "but foremost, this is a platform for open discussion
across industry."

…The results,
which are based on an online survey of 1,119 U.S. customers, estimate that
pay-TV providers could lose about $1,248 per cord-cutter annually. That’s because the average cord-cutter saves
$104 a month—about 56% of their bill—from dropping cable TV.

Deutsche Bank can only be saved by the German government,
strategist says

Only a substantial intervention by the German government
can stop the collapse of the country's largest lender, Deutsche Bank, according to Stefan Müller,
the CEO of Frankfurt-based boutique research company DGAW.

"Deutsche Bank doesn't realize that something serious
needs to happen," he told CNBC via telephone on Thursday morning. "(CEO John) Cryan clearly showed that he
has no idea how to survive."

Last year I published a 30 page document that I called The Practical
Ed Tech Handbook. This week I spent
some time revising that document and updating it for the 2016-17 school year. The Practical
Ed Tech Handbook isn't just a list of my favorite resources. I've included ideas for using these resources
and in many cases I've included links to video tutorials about my favorite
resources.

…In a report
identifying eight trends in the underworld of cybercrime, Europol warned that
cybercrime offences were becoming the norm and overtaking the reporting of
"traditional" crimes in some EU countries.

U.S. officials are increasingly confident that the hacker
Guccifer 2.0 is part of a network of individuals and groups kept at arm’s
length by Russia to mask its involvement in cyberintrusions such as the theft
of thousands of Democratic Party documents, according to people familiar with
the matter.

…Last week, U.S.
intelligence chief James Clapper said it “shouldn’t come as a big shock to
people” that Russia is behind
the hacking operation. While Russia
has tried to interfere in U.S. elections since at least the 1960s by spying and
funneling money to particular political groups, “I think it’s more dramatic
maybe because now they have the cyber tools,” he said.

Just in time for my IT Governance students to ride to the
rescue! Do the boring, obvious stuff
first, then get creative.

…Those favoring
practical experience over checklist security will not be happy. Most information security professionals agree
that practical experience and judgment far outweigh checklist security in protecting
organizations. Some would argue that
diverting tight resources into procedural or documenting information security
controls can actually hamper protection efforts. And in some aspects this argument makes sense.

The new
handbook is “heavy” with requirements to document and provide evidence of
control procedures used to manage the bank’s (or financial services
company’s) information security effort. This
will surely frustrate checklist security opponents. And for many requirements, specific expectations
are spelled out that the bank would have to meet to achieve the
requirement’s objectives.

Bank of America and Microsoft partner to create blockchain
applications for trade finance

Today, Microsoft announced a collaboration with Bank of America to develop blockchain
technologies for their trade finance transacting. The companies are developing a proof of
concept using Microsoft’s Azure-based Blockchain-as-a-Service.
The hope is that this collaboration will
create more automated and cost-effective corporate treasury operations for both
Microsoft and Bank of America.

Despite considerable interest in the Internet of Things,
many organizations do not yet have an active IoT project. Our recent research report, “Data
Sharing and Analytics Drive Success With IoT,” finds that 60% of the
organizations responding to our global survey do not yet have an active IoT
project.

Wal-Mart Stores Inc. is in advanced discussions to invest as much as $1 billion into India’s
Flipkart Online Services Pvt, as the two companies battle Amazon.com Inc. in
e-commerce, according to a person familiar with the matter.

…Flipkart is the
largest online retailer in India, but its lead has been under assault as Amazon
steps up investments in the country. Chief
Executive Officer Jeff Bezos said in June he plans to spend another $3 billion in India to gain customers in the
fast-growing market.

…India’s online
market will expand at an average of 45 percent annually in the next four years
and reach $28 billion by 2020, according to estimates from Kotak Institutional
Equities.

…But if Amazon
and Wal-Mart are both stepping up their investments, Alibaba may have to consider
doing the same, either with Snapdeal or on its own.

…Many long-time
Office users will be unwilling to transition away from the apps they’re so
used to working with. Whether you’re an
Office veteran or a complete newcomer to these types of apps, iWork may deserve
another chance. Let’s take a look at
why.

Sometimes humor is where you find it. In this case, on a Statistics website.

Nobody wants to hear about other people’s fantasy football
teams, but it is rather delightful to rip them. Last week 0.9 percent of ESPN fantasy players
started Tom Brady, who is still serving a four game suspension because of
Deflategate. Meanwhile, Trevor Siemian
of the Denver Broncos did indeed play and was the best QB in Week 3, yet a mere
0.7 percent of players started him. I
will never pass up an opportunity to mock New England fans who think a suspended
Brady will still outscore players who actually take the field. [SportsCenter]


About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.